tcpdump+ftp

This post shows how to capture network packets with tcpdump, with a focus on TCP and FTP traffic. It walks through listening on a specific interface, selecting a protocol and port, filtering by source or destination IP, and saving a capture to a file and reading it back. It also covers installing an FTP service and editing vsftpd.conf.



tcpdump is a packet capture tool: it copies the packets seen on a network interface (by default only the first part of each one) so they can be analysed. Capture filters can select by port, host, network and protocol (tcp, udp, ICMP, ARP, IP, RARP).

Typical situations where tcpdump is used:

1. A server that normally carries little traffic suddenly saturates its bandwidth; capture to see which traffic is filling the link.

2. Access to a server fails; capture on the server to see whether requests from the client IP arrive at all and what is answered. Mostly used in test environments.

List all interfaces tcpdump can capture on

[root@host-10-59-17-148 ~]# tcpdump -D

1.eth0

2.nflog (Linux netfilter log (NFLOG) interface)

3.nfqueue (Linux netfilter queue (NFQUEUE) interface)

4.usbmon1 (USB bus number 1)

5.any (Pseudo-device that captures on all interfaces)

6.lo

Capture on a specific interface: tcpdump -i eth0 (here limited to 10 packets with -c 10)

[root@host-10-59-17-148 ~]# tcpdump -i eth0 -c 10

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

09:52:59.096816 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 2129008946:2129009106, ack 3824319792, win 192, length 160

09:52:59.097343 IP 10.59.17.148.35564 > 10.59.63.17.domain: 10237+ PTR? 184.51.28.10.in-addr.arpa. (43)

09:52:59.097649 IP 10.59.63.17 > 10.59.17.148: ICMP 10.59.63.17 udp port domain unreachable, length 79

09:52:59.097852 IP 10.59.17.148.34826 > 10.59.63.17.domain: 10237+ PTR? 184.51.28.10.in-addr.arpa. (43)

09:52:59.098138 IP 10.59.63.17 > 10.59.17.148: ICMP 10.59.63.17 udp port domain unreachable, length 79

09:52:59.098232 IP 10.59.17.148.46195 > 10.59.63.17.domain: 35196+ PTR? 148.17.59.10.in-addr.arpa. (43)

09:52:59.098527 IP 10.59.63.17 > 10.59.17.148: ICMP 10.59.63.17 udp port domain unreachable, length 79

09:52:59.098567 IP 10.59.17.148.48257 > 10.59.63.17.domain: 35196+ PTR? 148.17.59.10.in-addr.arpa. (43)

09:52:59.098891 IP 10.59.63.17 > 10.59.17.148: ICMP 10.59.63.17 udp port domain unreachable, length 79

09:52:59.099076 IP 10.59.17.148.50525 > 10.59.63.17.domain: 2858+ PTR? 17.63.59.10.in-addr.arpa. (42)

10 packets captured

13 packets received by filter

0 packets dropped by kernel

Write the captured packets to a file (here named eth0.txt; -w writes binary pcap data whatever the extension, so read the file back with tcpdump -r rather than cat)

[root@host-10-59-17-148 ~]# tcpdump -i eth0 -c 10 -w /tmp/script/eth0.txt

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10 packets captured

10 packets received by filter

0 packets dropped by kernel

Read the saved capture back

[root@host-10-59-17-148 ~]# tcpdump -r /tmp/script/eth0.txt

reading from file /tmp/script/eth0.txt, link-type EN10MB (Ethernet)

09:55:09.310846 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 2129012594:2129012770, ack 3824321712, win 192, length 176

09:55:09.317771 IP 10.28.51.184.amandaidx > 10.59.17.148.ssh: Flags [.], ack 176, win 254, length 0

09:55:09.333817 ARP, Request who-has 10.59.17.11 tell 10.59.17.4, length 46

09:55:09.373371 ARP, Request who-has 10.59.17.33 tell 10.59.17.34, length 46

09:55:09.505685 ARP, Request who-has 10.59.17.157 tell 10.59.17.152, length 28

09:55:09.694589 ARP, Request who-has 10.59.17.18 tell 10.59.17.99, length 46

09:55:10.016061 ARP, Request who-has 10.59.17.152 tell 10.59.17.153, length 46

09:55:10.110047 ARP, Request who-has 10.59.17.157 tell 10.59.17.153, length 46

09:55:10.373916 ARP, Request who-has 10.59.17.33 tell 10.59.17.34, length 46

09:55:10.507918 ARP, Request who-has 10.59.17.157 tell 10.59.17.152, length 28

Select a protocol and port (here tcp port 22, written to a file)

[root@host-10-59-17-148 ~]# tcpdump tcp port 22 -c 10 -w /tmp/script/tcp.txt

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10 packets captured

10 packets received by filter

0 packets dropped by kernel

Capture packets by source or destination IP (src / dst)

[root@host-10-59-17-148 ~]# tcpdump -c 10 -i eth0 src 10.59.17.148

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:13:05.554801 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 2129940354:2129940594, ack 3824626192, win 606, length 240

11:13:05.555308 IP 10.59.17.148.45581 > 10.59.63.17.domain: 37884+ PTR? 184.51.28.10.in-addr.arpa. (43)

11:13:05.555686 IP 10.59.17.148.38354 > 10.59.63.17.domain: 37884+ PTR? 184.51.28.10.in-addr.arpa. (43)

11:13:05.556164 IP 10.59.17.148.38285 > 10.59.63.17.domain: 44942+ PTR? 148.17.59.10.in-addr.arpa. (43)

11:13:05.556501 IP 10.59.17.148.52575 > 10.59.63.17.domain: 44942+ PTR? 148.17.59.10.in-addr.arpa. (43)

11:13:05.556924 IP 10.59.17.148.42726 > 10.59.63.17.domain: 57686+ PTR? 17.63.59.10.in-addr.arpa. (42)

11:13:05.557294 IP 10.59.17.148.35129 > 10.59.63.17.domain: 57686+ PTR? 17.63.59.10.in-addr.arpa. (42)

11:13:05.557777 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 240:576, ack 1, win 606, length 336

11:13:05.558823 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 576:1312, ack 1, win 606, length 736

11:13:05.559813 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 1312:1520, ack 1, win 606, length 208

10 packets captured

10 packets received by filter

0 packets dropped by kernel

[root@host-10-59-17-148 ~]# tcpdump -c 10 dst 10.28.51.184

Capture tcp port 22 packets involving two hosts (the parentheses must be quoted, otherwise the shell interprets them)

[root@host-10-59-17-148 ~]# tcpdump -c 10 'tcp port 22 and ( host 10.59.17.148 or host 10.28.51.184 )'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:09:57.629844 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 2129898018:2129898258, ack 3824590000, win 606, length 240

11:09:57.632795 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 240:464, ack 1, win 606, length 224

11:09:57.633818 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 464:672, ack 1, win 606, length 208

11:09:57.634817 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 672:880, ack 1, win 606, length 208

11:09:57.635799 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 880:1088, ack 1, win 606, length 208

11:09:57.640305 IP 10.28.51.184.amandaidx > 10.59.17.148.ssh: Flags [.], ack 880, win 258, length 0

11:09:57.640322 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 1088:1296, ack 1, win 606, length 208

11:09:57.640792 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 1296:1600, ack 1, win 606, length 304

11:09:57.641819 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 1600:1808, ack 1, win 606, length 208

11:09:57.642817 IP 10.59.17.148.ssh > 10.28.51.184.amandaidx: Flags [P.], seq 1808:2016, ack 1, win 606, length 208

10 packets captured

10 packets received by filter

0 packets dropped by kernel
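To make the filter expressions above checkable without a live interface, here is an added example (not part of the original post): a minimal Python reader for the pcap files that tcpdump -w produces, together with Python equivalents of the host, src, dst, port and tcp primitives. It runs the post's expressions against a constructed capture that reuses the post's two addresses, and adds the "and" variant, because `host A or host B` keeps ssh packets involving either host, whereas `host A and host B` keeps only packets exchanged between the two. All frames, timestamps and third-party addresses are constructed sample data.

```python
"""Added example (not from the original post): a minimal pcap reader that
re-implements the tcpdump filter primitives used above (host, src, dst, port,
tcp, and/or) so the effect of each expression can be checked offline.
All frames and addresses below are constructed sample data."""
import ipaddress
import struct


def build_frame(src_ip, dst_ip, sport, dport, proto=6):
    """Build a bare Ethernet + IPv4 + TCP/UDP frame (no checksums, no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # zeroed MACs, EtherType IPv4
    if proto == 6:                                   # TCP: seq, ack, offset=5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    else:                                            # UDP: length 8, checksum 0
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + l4


def write_pcap(frames):
    """Serialise frames in classic pcap format (what `tcpdump -w` produces)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield each captured frame from pcap bytes (what `tcpdump -r` reads)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                         # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Extract the fields the filter primitives need; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"proto": frame[23],
           "src": str(ipaddress.ip_address(frame[26:30])),
           "dst": str(ipaddress.ip_address(frame[30:34])),
           "sport": None, "dport": None}
    l4 = 14 + ihl
    if pkt["proto"] in (6, 17) and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    return pkt


# Filter primitives with the same meaning as the tcpdump expressions in the post.
def host(ip): return lambda p: ip in (p["src"], p["dst"])
def src(ip):  return lambda p: p["src"] == ip
def dst(ip):  return lambda p: p["dst"] == ip
def port(n):  return lambda p: n in (p["sport"], p["dport"])
def tcp(p):   return p["proto"] == 6
def and_(*fs): return lambda p: all(f(p) for f in fs)
def or_(*fs):  return lambda p: any(f(p) for f in fs)


def select(pcap_bytes, predicate):
    """Return the decoded packets from a pcap that satisfy the predicate."""
    matched = []
    for frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is not None and predicate(pkt):
            matched.append(pkt)
    return matched


A, B = "10.59.17.148", "10.28.51.184"                 # the two hosts from the post
SAMPLE_PCAP = write_pcap([                             # constructed sample capture
    build_frame(A, B, 22, 10080),                      # ssh server -> client (amandaidx = 10080)
    build_frame(B, A, 10080, 22),                      # client -> ssh server
    build_frame(A, "10.59.63.17", 35564, 53, proto=17),  # DNS PTR lookup over UDP
    build_frame(A, "10.1.1.5", 22, 40000),             # ssh from A to a third host
    build_frame("10.99.0.1", B, 22, 5555),             # ssh from a third host to B
])


def filter_counts(pcap_bytes=SAMPLE_PCAP):
    """Packet counts for the expressions used in the post, plus the AND variant."""
    return {
        "src A": len(select(pcap_bytes, src(A))),
        "dst B": len(select(pcap_bytes, dst(B))),
        "tcp port 22 and (host A or host B)":
            len(select(pcap_bytes, and_(tcp, port(22), or_(host(A), host(B))))),
        "tcp port 22 and host A and host B":
            len(select(pcap_bytes, and_(tcp, port(22), host(A), host(B)))),
    }


if __name__ == "__main__":
    for expr, n in filter_counts().items():
        print(f"{expr:40s} -> {n} packets")
```

Running it shows that the "or" form matches four of the five sample packets (every tcp/22 packet touching either host) while the "and" form keeps only the two exchanged between them, which is what "between two hosts" usually means.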

-nn: do not convert port numbers (and protocol numbers) to names

The official description of -X is:

"When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII."

In plain terms: print each packet's contents in hex and ASCII, without the Ethernet frame header, so the dump starts at the IP header.

Install the FTP service

Stop the firewall and disable SELinux

/etc/init.d/iptables stop

/etc/init.d/iptables status

vim /etc/selinux/config

SELINUX=disabled

Check whether FTP is installed

[root@host-10-59-17-148 ~]# yum install ftp

[root@host-10-59-17-148 ~]# rpm -qa |grep vsftp

If the package is installed, its version is printed.

Install vsftpd

[root@host-10-59-17-148 ~]# yum install -y vsftpd

[root@host-10-59-17-148 ~]# rpm -qa |grep vsftpd

vsftpd-2.2.2-24.el6.x86_64

Configuration file

/etc/vsftpd/vsftpd.conf

Back it up

[root@host-10-59-17-148 ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak

Edit the configuration file

[root@host-10-59-17-148 ~]# vim /etc/vsftpd/vsftpd.conf

# allow anonymous logins
anonymous_enable=YES

# allow local (system) users to log in
local_enable=YES

# allow FTP write commands (upload, delete, rename)
write_enable=YES

# umask for files created by local users
local_umask=002

# allow anonymous users to upload files
anon_upload_enable=YES

# allow anonymous users to create directories
anon_mkdir_write_enable=YES

# umask for files created by anonymous users
anon_umask=022

dirmessage_enable=YES

# enable the transfer log, which records uploads and downloads in detail
xferlog_enable=YES

# use port 20 as the server-side source port for active-mode data connections
connect_from_port_20=YES

# log file path
xferlog_file=/var/log/xferlog

# standard xferlog format
xferlog_std_format=YES

# idle timeout in seconds: a logged-in session with no activity for this long is disconnected
idle_session_timeout=600

# confine local users to their home directory (chroot)
chroot_local_user=YES

listen=YES

pam_service_name=vsftpd

userlist_enable=NO

tcp_wrappers=YES

[root@host-10-59-17-148 ~]# cat /etc/vsftpd/vsftpd.conf |grep -v "#"

anonymous_enable=YES

local_enable=YES

write_enable=YES

local_umask=002

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_umask=022

dirmessage_enable=YES

xferlog_enable=YES

connect_from_port_20=YES

xferlog_file=/var/log/xferlog

xferlog_std_format=YES

idle_session_timeout=600

data_connection_timeout=120

chroot_local_user=YES

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/chroot_list

listen=YES

pam_service_name=vsftpd

userlist_enable=NO

tcp_wrappers=YES
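The listing above is a plain key=value file, so its access-related settings can be checked mechanically. The following added example (not the post's code, nor vsftpd's) parses it the way the grep output presents it and reports what this configuration permits: anonymous upload and directory creation are on, /etc/vsftpd/user_list is not consulted because userlist_enable=NO, and, since chroot_local_user=YES is combined with chroot_list_enable=YES, a user placed in /etc/vsftpd/chroot_list is exempted from the chroot rather than confined by it. SAMPLE_CONF is the post's own listing; the user name passed in is the post's ftp_test1; the three overrides in HARDENED_OVERRIDES are this example's suggestion.

```python
"""Added example (not from the original post or from vsftpd): parse a vsftpd.conf
as key=value lines and report the settings in the post's configuration that widen
access. SAMPLE_CONF is the post's own listing; the findings are this example's
reading of the vsftpd options."""

SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=002
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
"""

# Overrides this example proposes on top of the post's file (an assumption, not the post's).
HARDENED_OVERRIDES = {
    "anonymous_enable": "NO",     # no anonymous logins at all
    "chroot_list_enable": "NO",   # nobody is exempted from the chroot
    "userlist_enable": "YES",     # user_list is actually consulted
}


def parse_vsftpd_conf(text):
    """key=value per line; lines starting with '#' are comments; if a key
    repeats, the last value wins, as vsftpd reads the file top to bottom."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    """vsftpd booleans are YES/NO; compare case-insensitively."""
    return conf.get(key, default).upper() == "YES"


def audit(conf, chroot_list_users=()):
    """Return findings as strings; an empty list means nothing in scope was flagged."""
    findings = []
    anon_write = is_yes(conf, "anonymous_enable") and is_yes(conf, "write_enable")
    if anon_write and is_yes(conf, "anon_upload_enable"):
        findings.append("anonymous users can upload files")
    if anon_write and is_yes(conf, "anon_mkdir_write_enable"):
        findings.append("anonymous users can create directories")
    if not is_yes(conf, "userlist_enable"):
        findings.append("userlist_enable=NO: the user_list file is not consulted")
    if is_yes(conf, "chroot_local_user") and is_yes(conf, "chroot_list_enable"):
        # With chroot_local_user=YES, the list file names the users who are NOT chrooted.
        path = conf.get("chroot_list_file", "<chroot_list_file not set>")
        for user in chroot_list_users:
            findings.append(f"{user} is listed in {path} and is therefore exempt from the chroot")
    if not is_yes(conf, "xferlog_enable"):
        findings.append("xferlog_enable=NO: transfers are not logged")
    return findings


def audit_sample():
    """Findings for the post's configuration with ftp_test1 placed in chroot_list."""
    return audit(parse_vsftpd_conf(SAMPLE_CONF), chroot_list_users=["ftp_test1"])


def audit_hardened():
    """The same file with HARDENED_OVERRIDES applied on top: nothing left to flag."""
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    conf.update(HARDENED_OVERRIDES)
    return audit(conf, chroot_list_users=["ftp_test1"])


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
    print("after overrides:", audit_hardened() or "no findings")
```

On the post's file this prints four findings; with the three overrides applied it prints none, which is the quickest way to see which lines in the listing actually change who may write and who is confined.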

Create the FTP user ftp_test1

/ftp_data is the home directory of ftp_test1; ftp_test1 belongs to the ftp group and has no login shell.

[root@host-10-59-17-148 ~]# useradd -d /ftp_data -g ftp -s /sbin/nologin ftp_test1

[root@host-10-59-17-148 ~]# passwd ftp_test1

Changing password for user ftp_test1.

New password:

BAD PASSWORD: it is too simplistic/systematic

Retype new password:

passwd: all authentication tokens updated successfully.

(The password set here is ftp123456.)

Add the user ftp_test1 to

/etc/vsftpd/user_list

/etc/vsftpd/chroot_list

In a second window, check that vsftpd is listening

[root@host-10-59-17-148 ~]# netstat -lnp |grep ftp

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2743/vsftpd

Capture command

tcpdump -i lo port 21 -X

[root@host-10-59-17-148 ~]# tcpdump tcp port 21 -i lo -X |grep -i -E "USER|pass"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

0x0030: 4cc2 6dde 5553 4552 2066 7470 5f74 6573 L.m.USER.ftp_tes

0x0040: 7065 6369 6679 2074 6865 2070 6173 7377 pecify.the.passw

0x0030: 4cc2 8093 5041 5353 2066 7470 3132 3334 L...PASS.ftp1234

Write the capture to a file

tcpdump tcp port 21 -i lo -X -w /tmp/script/ftp_tcpdump.txt

Read it back

tcpdump -X -r ftp_tcpdump.txt |grep -i -E "pass|user"
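The grep above only ever sees fragments, because -X prints 16 bytes per line (the USER line is cut off at "ftp_tes" and the PASS line at "ftp1234"). The following added example (not part of the original post) parses -X text output, reassembles each packet's bytes across the dump lines, strips the IP and TCP headers (the dump starts at the IP header, as the -X description says) and extracts FTP USER and PASS commands. It reports the user name and only the length of the password, which is what an audit needs to confirm that credentials crossed the wire in cleartext. The dump it parses is constructed here in the -X layout from the post's user name, a constructed password of the same form, and a made-up client port.

```python
"""Added example (not from the original post): parse `tcpdump -X` text output,
reassemble each packet across the 16-byte dump lines, strip the IP and TCP headers
and report FTP USER/PASS commands seen in cleartext, masking the password.
SAMPLE_DUMP is constructed here in tcpdump's -X layout."""
import re
import struct


def build_ip_tcp(src, dst, sport, dport, payload):
    """IPv4 + TCP header + payload (constructed; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 342, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def render_x(header_line, pkt):
    """Format one packet the way `tcpdump -X` prints it: a header line, then
    '0xNNNN:  <8 hex groups>  <16 ASCII chars>' lines, non-printables as '.'."""
    lines = [header_line]
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 33 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {groups:<39}  {ascii_col}")
    return "\n".join(lines)


# Constructed sample: a login to the local vsftpd as seen by `tcpdump -i lo port 21 -X`.
SAMPLE_DUMP = "\n".join([
    "listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes",
    render_x("10:01:02.000001 IP 127.0.0.1.40000 > 127.0.0.1.ftp: Flags [P.], length 16",
             build_ip_tcp("127.0.0.1", "127.0.0.1", 40000, 21, b"USER ftp_test1\r\n")),
    render_x("10:01:02.000002 IP 127.0.0.1.ftp > 127.0.0.1.40000: Flags [P.], length 34",
             build_ip_tcp("127.0.0.1", "127.0.0.1", 21, 40000,
                          b"331 Please specify the password.\r\n")),
    render_x("10:01:04.000003 IP 127.0.0.1.40000 > 127.0.0.1.ftp: Flags [P.], length 16",
             build_ip_tcp("127.0.0.1", "127.0.0.1", 40000, 21, b"PASS ftp123456\r\n")),
]) + "\n"

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")
HEADER_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")


def split_packets(text):
    """Group -X output into (header_line, raw_bytes) per packet. Hex tokens are
    consumed until 16 bytes or the first non-hex token (the ASCII column)."""
    packets, header, buf = [], None, bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            consumed = 0
            for tok in m.group(1).split():
                if consumed >= 16 or len(tok) % 2 or not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                    break
                buf += bytes.fromhex(tok)
                consumed += len(tok) // 2
        elif HEADER_LINE.match(line):
            if header is not None:
                packets.append((header, bytes(buf)))
            header, buf = line, bytearray()
    if header is not None:
        packets.append((header, bytes(buf)))
    return packets


def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers; the IP total length bounds the packet, which
    also discards an ASCII token mistaken for hex on a short final line."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return b""
    pkt = pkt[:struct.unpack_from("!H", pkt, 2)[0]]
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return b""
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]


FTP_AUTH = re.compile(rb"^(USER|PASS) ([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def find_cleartext_logins(text):
    """One record per USER/PASS command; the password is replaced by asterisks."""
    findings = []
    for header, raw in split_packets(text):
        for cmd, arg in FTP_AUTH.findall(tcp_payload(raw)):
            cmd = cmd.decode().upper()
            value = arg.decode(errors="replace")
            findings.append({"time": header.split()[0], "command": cmd,
                             "value": value if cmd == "USER" else "*" * len(value)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_DUMP):
        print(f"{f['time']} {f['command']} {f['value']}")
```

Pointed at a real `tcpdump -X -r ftp_tcpdump.txt` output instead of SAMPLE_DUMP, the parser reports every cleartext FTP login in the capture, full user name included, without the grep's line-boundary truncation and without echoing the secret.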

Log in

[root@host-10-59-17-148 ~]# service vsftpd restart

Shutting down vsftpd: [ OK ]

Starting vsftpd for vsftpd: [ OK ]

[root@host-10-59-17-148 ~]# ftp 127.0.0.1

Connected to 127.0.0.1 (127.0.0.1).

220 (vsFTPd 2.2.2)

Name (127.0.0.1:root): ftp_test1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

Error log:

see /var/log/secure
